Unix: Rootkits -- Still scary after all these years

If you haven't worried about rootkits in a while, what are you waiting for? Rootkits remain one of the stealthiest and most worrisome forms of malware compromising systems today.

ITworld|March 3, 2013

Don't think viruses, Trojans and APTs are the only security problems that you need to worry about these days. Rootkits are still one of the most stealthy, potentially damaging and ultimately viable problems that can plague your systems. And they don't just infect Unix systems. Windows systems are also vulnerable to rootkits with the same concerns for detection that have made them such a problem on Unix systems. In fact, smart phones are just as vulnerable to rootkit attacks as the operating systems in your data center.
A rootkit is a piece of software (or a set of software components) that is able to hide within your operating system, often disguising itself as a kernel module or residing only in memory. Rootkits can also hide their presence by removing records from log files, failing to display when you type “ps –ef”
The name "rootkit" derives from the problem's historic roots on Unix systems where "root" is, of course, the power user and "kit" represented the suite of tools that co-opted root's authority. The first known rootkit was engineered in 1990. Since then, things have only gotten worse as now there are plenty of rootkits -- including many that one can download -- and, as with other forms of malware, detection tools have problems keeping up with the known rootkits, never mind the problem of recognizing new ones.
Since rootkits can sometimes thwart the activities of tools meant to identify them, detection is extra difficult and sometimes relies on the use of a trusted operating system to evaluate the potentially infected one. Other methods might involve evaluating the behavior or a system, looking for differences between systems that should be fairly identical, analyzing the content of memory and looking for signatures.
Not everything that might be labeled a "rootkit" is bad, though this term has pretty much come to equate to malicious in most peoples' eyes. However, some rootkits are not malware at all. Copyright protection systems may, for example, hide themselves for legitimate reasons. On the other hand, it's taken me until the 5th paragraph of this posting to even mention that rootkits can be good -- or, at least, benign. The term is rarely used in anything other than a negative context.
Rootkits don't generally install themselves. Instead, they are often part of a what has come to be called a "blended threat" -- an approach that uses several varieties of malware together to leverage the benefits of each. Often a "dropper" is used to install the rootkit. It carries the rootkit along as data and installs it when some action is taken to kick the infection into action. So, the infection often starts with clicking on a link or invoking a Trojan.
Rootkits can run in user mode or kernel mode. The user mode rootkits are generally the simpler ones and easier to detect. Kernel mode rootkits run more or less on par with the operating system, making them extremely difficult to isolate. A variation, called "bootkits" can attack even a full disk encryption system by replacing the boot loader. In fact, rootkits can even been shown to be effective on virtual systems by hosting the target operating system as a virtual machine.
Tools built to detect rootkits can be free or frightfully expensive, so difficult to use that you need a consultant to help you tell the good stuff from the bad stuff, or simply ineffective against all but the oldest or most common rootkits. While many of these tools might prove to be quite valuable in detecting and removing rootkits, a system hardening process that significantly lessens the chance that a system you manage is targeted should be set in motion as a first step toward keeping the nasty rootkits at bay.
Rootkits have somehow kept a low profile -- at least in the eyes of the typical computer user, maybe in part because they are paired with other infections that get credit for what they do. But they are just as much, in fact considerably more, of a problem as ever.

Sandra Henry-Stocker has been administering Unix systems for over 25 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She currently works for TeleCommunication Systems -- a company that builds innovative technologies to make critical connections happen -- where no one else necessarily shares any of her opinions.

The opinions expressed in this blog are those of the author's and do not necessarily represent those of ITworld, its parent, subsidiary or affiliated companies.